
GHSA-gw32-9rmw-qwww

Published: 16 Jan 2026
Source: github
GitHub: reviewed
CVSS4: 8.4

Description

svelte is vulnerable to XSS with textarea bind:value

Summary

A server-side rendered <textarea> with a two-way bound value does not have that value correctly escaped in the rendered HTML.

Details

In SSR, the bound value of <textarea bind:value={...}> is inserted verbatim, without HTML escaping, when the element is rendered as <textarea>...</textarea>. A value containing `</textarea>` therefore closes the element early and whatever follows is parsed as markup.

PoC

Put this in a server-side-rendered Svelte component (the string is split only so that the source file itself does not contain a literal closing script tag):

<script>
  let value = `test'"></textarea><script` + `>alert('BIM');</sc` + `ript>`;
</script>

<textarea bind:value />

Impact

  • Only affects SSR (client-side rendering assigns the value through the DOM property, so no markup is parsed)
  • Needs a <textarea bind:value> whose bound value is populated from user-controlled content via two-way binding
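The following is an added example, not Svelte's own code: it shows what the vulnerable SSR output looks like for the PoC value, what a correctly escaped render looks like, a detector that flags a value breaking out of the element, and a check against the affected version range from the Packages section. The escaper is a generic HTML text escaper (Svelte's own escape routine is not reproduced here), the function names are hypothetical, and the version check assumes plain semver strings without prerelease tags.

```javascript
// Added example (not Svelte's code). The payload is the advisory's PoC value;
// everything else is constructed here for illustration.

// Generic HTML text escaper. The body of <textarea> is RCDATA, so '<' and '&'
// are the characters that let content break out of the element; '>' and the
// quotes are escaped as well because it is harmless and keeps the output safe
// if the same string is ever placed in an attribute.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// What the vulnerable SSR output effectively was for <textarea bind:value />:
// the bound value dropped into the markup verbatim.
function renderTextareaUnescaped(value) {
  return `<textarea>${value}</textarea>`;
}

// Hardened form: the value is escaped before it becomes element content.
function renderTextareaEscaped(value) {
  return `<textarea>${escapeHtml(value)}</textarea>`;
}

// Breakout detector for a single rendered textarea: more than one closing
// </textarea>, or any <script tag at all, means the value escaped the element.
function hasBreakout(html) {
  const closes = html.match(/<\/textarea\s*>/gi) || [];
  return closes.length !== 1 || /<script\b/i.test(html);
}

// Affected range from the advisory: >= 3.0.0, < 3.59.2 (fixed in 3.59.2).
// Assumption: plain "major.minor.patch" strings; a leading ^ or ~ is stripped
// so package.json ranges can be passed in, prerelease tags are ignored.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim().replace(/^[\^~]/, ''));
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmpSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedSvelteVersion(version) {
  const v = parseSemver(version);
  return cmpSemver(v, [3, 0, 0]) >= 0 && cmpSemver(v, [3, 59, 2]) < 0;
}

// The PoC value from the advisory, split the same way as in the component.
const POC_VALUE = `test'"></textarea><script` + `>alert('BIM');</sc` + `ript>`;

// Stand-alone demonstration.
console.log('vulnerable :', renderTextareaUnescaped(POC_VALUE));
console.log('breakout?  :', hasBreakout(renderTextareaUnescaped(POC_VALUE)));
console.log('hardened   :', renderTextareaEscaped(POC_VALUE));
console.log('breakout?  :', hasBreakout(renderTextareaEscaped(POC_VALUE)));
for (const v of ['3.59.1', '3.59.2', '^3.58.0', '4.2.0']) {
  console.log(`svelte ${v} affected:`, isAffectedSvelteVersion(v));
}
```

Running the block prints the vulnerable render, which contains a second `</textarea>` followed by a live `<script>` element, and the hardened render, in which the same characters survive only as `&lt;/textarea&gt;` and `&lt;script&gt;`. The version helper is deliberately simple; for lockfiles with prerelease or pinned non-semver specifiers use a real semver library.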

Packages

Name: svelte (npm)
Affected versions: >= 3.0.0, < 3.59.2
Fixed version: 3.59.2

8.4 High

CVSS4

Weaknesses

CWE-79
